The SEI helps advance software engineering principles and practices and serves as a national resource in software engineering, computer security, and process improvement. The SEI works closely with defense and government organizations, industry, and academia to continually improve software-intensive systems. Its core purpose is to help organizations improve their software engineering capabilities and develop or acquire the right software, defect free, within budget and on time, every time.

Covert Buffer Overflow Detector

Covert is a tool for finding buffer overflows in C programs. It is based on a combination of software model checking and static analysis. Covert can be used both from the command line and via an Eclipse-based graphical user interface. Both Linux and Windows platforms are supported.

Covert transforms buffer overflow problems into assertion violations and then uses a C analysis engine to find possible violations of these assertions. When a buffer overflow is detected, Covert also emits a program trace that exhibits the error. The transformation of buffer overflows into assertion violations is achieved via an extension of the CIL tool.

Covert focuses primarily on buffer overflows caused by string manipulation routines, and is not suitable for finding arbitrary buffer overflows. At present, it is able to detect overflows caused by most common, but not all, string manipulation routines.